XPrivacy should really come installed by default with Android: the new versions are really quite good (especially with the cloudsourcing and on-demand bits) and really highlight how atrocious most apps are with your personal data. And it is a hell of a lot more effective than relying on companies like Avast to detect and remove bad actors from the market. I've lost track of the number of times random apps (most of whom are just shells around a website) ask permissions for my full phone number, Google and Facebook accounts, contact info etc. for no reason at all. At this point, I'm scared of using Android without the module. (not that ios or windows are any better)

But, then, some companies are really upset about spoofing. For example, Swype had serious issues with that to the extent they cried they won't even be able to release their famous keyboard if they weren't be able to get personal data for their analytics. [1] So, CM team decided to not built any spoofing (the only practically working solution to the problem) in.

I see where the Swype folks are coming from, but it's a bit like the people who complained against the existence of mailinator.com a decade back. Are they seriously claiming that a company whose entire business is based on making sense of dubious data will completely break down if its analysis service gets some bad inputs? How do they deal with shady manufacturers who return wrong data?

Swype is operating in a marketplace that is full of apps crying wolf and asking for way more permissions than they need, usually for unknown purposes. For example, I like to read The Verge and use its app[1], but it has "read phone status and identity" and "modify or delete the contents of your USB storage" in its manifest, which I'm not comfortable with. There is nothing that explains what they use this information for, how long they store it, and who they share it with. Heck, my desktop browser doesn't give theverge.com this permission and yet the site functions just fine.

Why should I bare my personal data to the whole world just because one developer is too lazy to implement checks on his inputs?

If you don't handle SecurityException you deserve to lose. Google made revocation of permissions possible, but then hid the capability. They chickened out. Making permissions revocable is one of the best enhancements Google could make to Android.

Swype's issues with spoofing date back to before they were a paid app (that only happened last year). At the time, there were only two ways to get Swype:

1. Your device manufacturer paid to include Swype in their default keyboard (no IMEIs requested or desired, AFAIK). That was where they made their money, at the time.

2. You signed up for Swype's beta program, to get a free version of Swype directly from them (which you sideloaded, possibly on multiple devices and/or ROMs). To me, whether or not they "really" needed IMEIs for their statistics is beside the point. Gathering those statistics was the only thing they were getting out of their beta program, so if you didn't like that deal you should just not participate - not spoil it for other people by giving false information.

The paid version of Swype still collects location information (or at least uses the location API, according to my phone). Paying users of the keyboard would be quite justified in trying to prevent Swype from getting that information.

Yeah, I've been holding back on rooting my Nexus 5 for a while just because I don't want to deal with the full wipe, but this convinced me. Obviously this article is somewhat AV FUD (just don't download the sketchy Spanish night vision app with WRITE_SMS permissions), but it's time I got my permissions in check.

The entire store experience is the opposite of what Eric Lippert calls the Pit of Success: literally no one involved in the process is incentivized to protect your data. Developers ask for all the permissions they can get away with because users get confused by multiple warnings, users blindly click accept on everything because they've learnt they can't use the app without that, Google is blindly complicit in all this because for some reason, they think everyone is as interested in/capable of protecting user data as they are... (Or they just don't care.)

To be honest, the default approach should be making app developers only be allowed to ask for one permission at a time. This would provide a constraint where the developer would ask for permissions they need only when a user tries out a feature in the app that relies on that one permission.

Accessing the address book is another area where permissions could be made much better. No app really needs access to my entire address book. They just need to launch the built in address book and only get the information they need for the one or more contacts you choose from your address book.

I agree, but look at the grief Microsoft got when they tried it with Vista's UAC prompts... more permission popups is clearly not what the majority of users want.

I think one solution is having the prompts integrate with the sort of crowdsourcing algorithm that XPrivacy has (e.g., if >90% of users have granted the app permissions on the address book, then don't show the prompt.)

Another important feature is that the app should not know if the user has granted it the permissions it asked for. If the user doesn't want to, the system should just feed the app bogus data and let the user continue interacting with other parts of the app (as we see today, most apps don't really need the data they collect in order to work.)

This isn't the problem with UAC prompts. Their problem is that the user simply doesn't have the information to make any kind of informed decision, since the prompts are at pointless places in the lifetime of a process or give very little information on what is actually going to happen ("Do you want to allow the following program [..] to make changes to this computer?").

Android permissions, on the other hand, are reasonably fine-grained and allow the user to deduce what the app is going to do. If the app wants to send a SMS, how hard is it to popup a modal dialog that shows the target number and asks for the permission right there? That is obviously much better than showing it in one big list along with "internet access" in some nag-screen on the store.

Of course the app should know I didn't grant the permission. The only reason you revert to bogus data is because apps currently crash in horrible ways instead of handling it gracefully, as would be the case if this kind of at-the-spot permissions handling was the default.

Showing modal dialogs on every new permission request is how XPrivacy works right now, and while I understand and deal with the process, I can easily see how most people would (rightly) see it as an annoyance. I'm just saying they could easily augment it with their crowdsourced data and reduce the number of prompts, which would mean people will actually pay attention to the prompts when something bad happens.

Re: your second point, you're right, if the on-demand permissions handler were the default, more apps would handle it gracefully. However, it's not, and most apps today crash because they don't handle SecurityException when they call the android APIs. Also, you're assuming developers will act in good faith and will do whatever the users want. I would not be surprised at all if companies like Zynga, if they knew the user didn't give them the permissions, implement all sorts of dark UIs to trick/force the user to give them their data.

Should we not protect users just because they're too trusting with computers to realize what's going on?

A better way would be to come up with a smart grouping profile for apps that want reasonable common combinations. For example, "Standard application that can access your INTERNET". Give it a nice screen. "Standard application application that can USE YOUR CAMERA and access your INTERNET" would get a big question mark icon.

For any app that wants any weird combination outside the standards, make it opt in like you say - one permission at a time. With each requiring a screaming skull and crossbones.

If you did that, you could integrate more fine-grained permissions into a small number of supported profiles, and developers would be strongly discouraged from choosing anything outside that combination.

They blindly click on ACCEPT because Google stupidly lists relatively benign permissions ("network access", "read phone state", "vibrate") where they should be only listing severe ones. And the permissions they do list are often poorly explained.

Given how shady the whole premium SMS/premium number business is to begin with, it should be made legally simple to refuse all payment on charges to them.

eg. Say you notice you suddenly owe $100 on your phone bill due to a phone app causing charges to your bill (or even just because you gullibly fell for a social engineering attack), you should be able to just refuse to pay with no repercussions other than that the premium provider will be sent a notification that you refused to pay and then may block you via caller id from future use of the service.

I doubt this will ever happen since politicians generally don't give a rat's ass about consumers anymore, but it would be nice.

Bear in mind it is Avast writing this post (not exactly my favourite company at the moment, incorrectly reporting a trojan to a few users in one of my Apps), so the alarmist perspective is motivated by their business.

If the worst they can report on is an obscure and rather obviously dodgy looking App no longer on Google Play then there isn't much for us to worry about.

I thought KitKat was supposed to block apps from automatically sending SMS messages to premium numbers?

This is a nasty piece of malware, but premium SMS scam apps are nothing new to Android. So the article playing up the danger of this random, seemingly single-market focused malware (Hispanophone vs. global) isn't particularly scary.

From the analysis posted, it's trying to bypass that by not sending an SMS to a premium number. It's sending the phone number to a website, and whatever it is that is running on that website is subscribing the user to a premium service.

Yeah, it reverse bills the SMS. Android can only block your device from sending premium rate SMS, not receiving them (how could it? It's up to your network operator to handle that side of things).

The original idea with reverse-billing was that users could subscribe to services such as weather updates, which would automatically send a message once a day/week, and the user be charged upon receipt. The problem with reverse billing is that it's clearly open to substantial abuse.

It is a Spanish premium subscription number. To subscribe you need to opt-in, either by web (getting a PIN code you need to enter to confirm the subscription) or by SMS (You need to confirm by replying to a free message from the short code).

I guess this app is going through SMS opt-in, sending the reply behind the scenes.

No check, Premium SMS technically doesn't require any opt-in. Charging on SMS receipt is called "MT billing" [1] and this is how PSMS works in most countries including the US. PSMS is heavily regulated but the nature of the business today makes it unattractive for anything but fraud.

I believe XPrivacy[1] looks more promising than OpenPDroid. First of all Xposed Framework feels easier to integrate - no need to mess with full-fledged ROM embedding, just light patch to the Dalvik and reboot.

And the things I really fancy about XPrivacy is that current versions have learning mode (like `su` GUI prompts, configurable to automatically deny or allow after a timeout) and yet-underdeveloped but very promising argument-level permission controls (i.e. allows WebView's loadUrl for one URI, but not another).

That won't actually compile. Having decompiled java binaries before, the decompiler will sometimes generate things like that. I think it happens when there's a jump instruction it doesn't know what to do with.